HHS Issues Limited Waiver of HIPAA Sanctions and Penalties Due to Hurricane Michael

For the second time in the last two months, Department of Health and Human Services (HHS) Secretary Alex Azar has waived certain HIPAA Privacy Rule sanctions and penalties—this time for areas affected by Hurricane Michael. Azar has declared a public health emergency in Florida and Georgia following the presidential declaration of disaster in these areas following Hurricane Michael.

According to a news bulletin from HHS, severe disasters such as Hurricane Michael bring with them additional challenges for healthcare providers, and questions “arise about the ability of entities covered by the HIPAA regulations to share information, including with friends and family, public health officials, and emergency personnel.” While the HIPAA Privacy Rule is still in effect, certain provisions of the rule under the Project Bioshield Act of 2004 and the Social Security Act are waived.

A covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule under this declaration may have any sanctions or penalties waived:

Requirements to obtain patient consent to speak with family members or friends involved in the patient’s care

Requirement to honor requests to opt out of the facility directory

Requirement to distribute a Notice of Privacy Practices

Patient’s right to request privacy restrictions

Patient’s right to request confidential communications

This waiver only applies to hospitals that have instituted a disaster protocol in the emergency declaration area for the identified emergency period, and hospitals can take advantage of the waiver for up to 72 hours from the time the facility implements its disaster protocol—unless the public health emergency is terminated first.

So far, HHS has issued similar HIPAA Privacy Rule waivers for the 2017 California wildfires and for Hurricanes Florence, Maria, Irma, Harvey, and Katrina, in addition to this most recent waiver for Hurricane Michael.

The bulletin goes on to discuss the conditions under which the HIPAA Privacy Rule always allows patient information to be shared—even without a waiver. Click here to read the bulletin.